Before the Colonial Pipeline ransomware attack drew attention to the dangers posed by attacks on the CNI (critical national infrastructure) sector, four such organizations in an unnamed South-East Asian country were targeted in an intelligence-gathering campaign that ran for several months, from at least November 2020 to March 2021, Symantec revealed in new research.
The critical organizations targeted included a water company, a power company, a communications company, and a defense organization, with evidence that the attackers were interested in information about SCADA (supervisory control and data acquisition) systems.
“An attacker gaining access to multiple critical infrastructure organizations in the same country could potentially give malicious actors access to a vast amount of sensitive information,” Symantec said in a blog post. The company also found some indications that the attacker behind this campaign is based in China, but with the information currently available, Symantec said it cannot attribute the activity to a known actor.
Symantec points to several indicators that the same attacker was behind all four intrusions: the geographic and sector links between the targeted organizations, and the presence of the same artifacts on machines in different organizations, including a downloader (found in two of the organizations) and a keylogger (found in three). Researchers also saw the same IP address used in attacks on two of the organizations.
Credential theft and lateral movement on victim networks seemed to be a key aim of the attacker, who made extensive use of ‘living-off-the-land’ tools in the campaign. “While we do not know what the initial infection vector used by the attacker to get onto targeted networks was, we do see how they moved through infected networks,” Symantec said in a whitepaper.
“The ability of the attacker to maintain a stealthy presence on the targeted networks for a number of months indicates they were skilled. Certain artifacts found on the victim machines indicate the attacker may be based in China, though it is not possible with the information we have to definitively attribute these attacks to a named actor,” the report added.
The first activity Symantec saw in the water company was suspicious use of Windows Management Instrumentation (WMI). There is no indication of what infection vector was used to gain initial access to the machine. The attackers then abused a legitimate free multimedia player, PotPlayer Mini, to load a malicious dynamic-link library (DLL).
FireEye has previously published research showing that PotPlayer Mini is susceptible to DLL search order hijacking. The technique is not new: when a Windows application loads a DLL by name rather than by full path, the loader checks the application's own directory before the system directories, so an attacker who can write a malicious DLL with the expected name next to a signed, legitimate executable gets that code run inside the legitimate process. Symantec frequently sees it used by attackers to execute malicious files on victim machines while blending in with trusted software.
Symantec also saw PotPlayer Mini registered as a service to launch a file called potplayermini.exe (a persistence mechanism), and multiple dual-use and hacking tools launched, including ProcDump, PsExec and Mimikatz. ProcDump was used for credential theft by dumping the memory of the LSASS.exe process, from which cached credentials can be extracted offline, and domain shares were enumerated using net view. Symantec then observed a suspected tunneling tool being launched on the system. The machine targeted in this instance had tools on it indicating it may have been involved in the design of SCADA systems.
Similar activity was detected at a company in the power sector. There too, PotPlayer Mini was abused for DLL search order hijacking, and ProcDump was deployed alongside another payload that Symantec suspects was malware. Symantec also found that the attacker once again carried out credential theft by using ProcDump to dump the LSASS.exe process. There were indications that this machine may also have been involved in engineering design. There was some file overlap between the attacks on the water and power companies, as well as similar tactics, pointing to the same attacker being behind both events.
In the case of the communications company, Symantec found that the attacker appeared to have abused a different legitimate tool, Google Chrome Frame, with suspicious files appearing where chrome_frame_helper.exe was the parent process. Google Chrome Frame was a plugin for Internet Explorer that rendered the full browser canvas using Google Chrome's rendering engine; Google discontinued it in 2014, so its presence on a machine years later is itself worth noting.
It wasn't clear whether Google Chrome Frame was already present on the machine or was introduced by the attacker; either way, it was the parent of legitimate as well as suspicious files. PotPlayer Mini also appeared to have been abused on this machine for malicious purposes.
In the attack on the defense organization, Symantec again found PotPlayer Mini abused for DLL search order hijacking, and saw file overlaps between this organization and the communications and water companies.
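As an added illustration (example code written for this article, not Symantec's detection content or the report's own tooling), the following Python rules hunt for the stages described across the four intrusions above: an unsigned DLL sideloaded from the same directory as PotPlayer Mini, ProcDump opening LSASS, net view share enumeration, PotPlayer Mini registered as a service from a user-writable path, and a shell spawned by the hijacked host process or chrome_frame_helper.exe. The Sysmon field names are abbreviated, the trusted-root and LSASS allow-lists are assumptions to tune per environment, and every host, path and command line in the sample events is constructed.

```python
"""Hunting rules for the living-off-the-land chain described above, run over
constructed Sysmon-style events (ids 1 = process create, 7 = image loaded,
10 = process access).  Added example, not Symantec's tooling; every host,
path and command line below is invented for illustration."""

import ntpath
import re
from collections import defaultdict

# Assumptions for this example: installed software lives under these roots,
# and only these processes are expected to open LSASS (tune per environment).
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "lsass.exe"}
# Binaries abused as hosts in the campaign, and children they should never have.
HIJACKED_HOSTS = {"potplayermini.exe", "chrome_frame_helper.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "net.exe", "procdump.exe"}


def base(path):
    return ntpath.basename(path).lower()


def in_trusted_root(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def rule_sideload(ev):
    """Unsigned DLL loaded from the EXE's own directory: the application directory
    is searched before System32, so a planted DLL with the expected name wins."""
    if ev["id"] != 7 or ev["signed"]:
        return None
    same_dir = ntpath.dirname(ev["image"]).lower() == ntpath.dirname(ev["loaded"]).lower()
    if same_dir and not in_trusted_root(ev["loaded"]):
        return f"unsigned {base(ev['loaded'])} sideloaded by {base(ev['image'])}"
    return None


def rule_lsass_dump(ev):
    """Non-allow-listed process opening lsass.exe (event 10), or a ProcDump -ma command aimed at it (event 1)."""
    if ev["id"] == 10 and base(ev["target"]) == "lsass.exe" and base(ev["source"]) not in LSASS_ALLOWLIST:
        return f"{base(ev['source'])} opened lsass.exe (access {ev['access']})"
    cmd = ev.get("cmdline", "").lower()
    if ev["id"] == 1 and "lsass" in cmd and "-ma" in cmd:
        return f"LSASS dump command: {ev['cmdline']}"
    return None


def rule_share_enum(ev):
    """net view used to enumerate domain shares."""
    if ev["id"] == 1 and base(ev["image"]) in ("net.exe", "net1.exe") and re.search(r"\bview\b", ev["cmdline"], re.I):
        return f"share enumeration: {ev['cmdline']}"
    return None


def rule_service_persist(ev):
    """sc create with a binPath outside the trusted roots (PotPlayer Mini registered as a service)."""
    if ev["id"] != 1 or base(ev["image"]) != "sc.exe":
        return None
    m = re.search(r'binpath=\s*(?:"([^"]+)"|(\S+))', ev["cmdline"], re.I)
    if m and re.search(r"\bcreate\b", ev["cmdline"], re.I):
        path = m.group(1) or m.group(2)
        if not in_trusted_root(path):
            return f"service persistence via {path}"
    return None


def rule_hijacked_parent(ev):
    """Shell or admin tool spawned by the sideloaded host EXE or by chrome_frame_helper.exe."""
    if ev["id"] == 1 and base(ev["parent"]) in HIJACKED_HOSTS and base(ev["image"]) in SHELLS:
        return f"{base(ev['parent'])} spawned {base(ev['image'])}"
    return None


RULES = (rule_sideload, rule_lsass_dump, rule_share_enum, rule_service_persist, rule_hijacked_parent)


def hunt(events):
    """Return (rule name, host, detail) for every event that matches a rule."""
    return [(r.__name__, ev["host"], d) for ev in events for r in RULES if (d := r(ev))]


def chained_hosts(findings, min_rules=3):
    """Hosts where several distinct stages fired.  Any one rule alone is noisy
    (admins run net view); sideload + LSASS dump + enumeration on one box is the chain."""
    per_host = defaultdict(set)
    for rule, host, _ in findings:
        per_host[host].add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


# Constructed sample telemetry (not real campaign data); T is a user-writable staging directory.
T = r"C:\Users\jdoe\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"id": 7, "host": "eng-ws01", "image": T + r"\PotPlayerMini.exe", "loaded": T + r"\Qt5Core.dll", "signed": False},
    {"id": 7, "host": "fs02", "image": r"C:\Program Files\DAUM\PotPlayer\PotPlayerMini.exe", "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"id": 1, "host": "eng-ws01", "image": T + r"\procdump.exe", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"id": 10, "host": "eng-ws01", "source": T + r"\procdump.exe", "target": r"C:\Windows\System32\lsass.exe", "access": "0x1FFFFF"},
    {"id": 1, "host": "eng-ws01", "image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "net view /domain"},
    {"id": 1, "host": "eng-ws01", "image": r"C:\Windows\System32\sc.exe", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": f'sc create PotPlayer binPath= "{T}\\PotPlayerMini.exe" start= auto'},
    {"id": 1, "host": "fs02", "image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"net view \\fs02"},
    {"id": 1, "host": "telco-ws07", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Program Files (x86)\Google\Chrome Frame\chrome_frame_helper.exe", "cmdline": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(" | ".join(finding))
    print("hosts showing the chain:", chained_hosts(hunt(SAMPLE_EVENTS)))
```

Run on the constructed events, the rules fire seven times, but only eng-ws01 shows enough distinct stages to count as the chain; the lone net view on fs02 and the lone chrome_frame_helper.exe child on telco-ws07 are single signals that an analyst would triage rather than escalate. That per-host correlation, rather than any one indicator, is what reproduces the reasoning the researchers describe when they tie the four intrusions together by overlapping artifacts and tactics.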
Symantec's data indicates that a growing number of attackers are attempting to breach organizations in the CNI sector, but the number that succeed in installing malware on endpoints in the sector is trending down. Attackers targeting this sector typically combine living-off-the-land tools and techniques with malware to infect victims.
Attacks on CNI are a global issue, with high-profile incidents having occurred in the U.S., Europe, and the Middle East. Such hacks are hard for affected businesses to contain or keep under wraps, leading to potential damage to business reputation as well as major effects on ordinary citizens. All these threats underline that organizations operating in the CNI sector need a robust cybersecurity strategy in place to keep their networks, equipment, and customers safe.
“While we cannot definitively say what the end goal of the attacker was in these attacks, information-stealing seems like the likeliest motive, given the activity we did see (credential stealing, lateral movement), and the types of machines targeted in some of the organizations (those involved in design or engineering),” Symantec said in its report.
Targeted ransomware attacks steal data, leave services down for weeks while they recover, and come with huge ransom demands, which makes them one of the biggest cybersecurity threats to every sector at the moment; the CNI sector is no exception. The public impact of cyber attacks on CNI industries, such as essential services being forced offline for a period, also means that attacks on organizations in these sectors are hard to keep from the public and media, potentially leading to awkward questions and damage to businesses' reputations.
Symantec also highlighted a challenge unique to the CNI sector: cyber-physical attacks, in which attackers destroy equipment or gain control of assets such as dams or electricity substations, are a danger that this sector in particular has to deal with.